FortiOS 6 – SSL/SSH inspection

SSH MITM deep inspection

As vulnerabilities of OpenSSH continue to be exposed, it has become necessary to detect such attacks, which requires the ability to decrypt the SSH tunnel to check the data. This feature introduces comprehensive security controls on SSH Man-in-the-Middle (MITM) deep inspections, including:

  • SSH filter profiles to control SSH tunnel types and filtering on SSH shell commands. l SSH proxy policies to apply a proxy firewall policy with user authentication on SSH session.
  • Support for SSH tunnel policy to perform access control for TCP/IP port forwarding traffic that is tunneled through the SSH proxy. IPS scanning can be applied to the tunneled traffic. l Support for SSH trust to detect and prevent SSH MITM attacks.

SSH MITM deep

Syntax

  1. Add SSH related option in ssl-ssh-profile for proxy mode profile
    1. Add option to bypass or block unsupported SSH protocol (Deep scan only supports SSH 2.0)

config firewall ssl-ssh-profile edit <name> config ssh set unsupported-version {bypass | block}

next

end

end

  1. Add option to enable SSH proxy policy check

config firewall ssl-ssh-profile edit <name> config ssh set ssh-policy-check {enable | disable} set ssh-tun-policy-check {enable | disable}

next

end

end

  1. Move block/log options for x11-filter/ssh-shell/exec/port-forward to SSH filter profile
  1. SSH filter profile
    1. Support options to block or log x11-filter/ssh-shell/exec/port-forward/sftp

config ssh-filter profile edit <name> set block {x11-filter | ssh-shell | exec | port-forward | sftp} set log {x11-filter | ssh-shell | exec | port-forward | sftp}

next

end

  1. Add Shell command filters

config ssh-filter profile edit <name> config shell-commands edit <id>

set type {simple | regex} set pattern <cmd-string> set action {block | allow} set log {enable | disable} set alert {enable | disable} set severity {low | medium | high | critical} next

end

set default-command-log {enable | disable} end

SSH MITM deep inspection

  1. Allow SSH filter profile to be set for config firewall policy when UTM is enabled.
  2. Support SSH proxy policy for SSH sessions
    1. Add a proxy type ssh into config firewall proxy-policy

config firewall proxy-policy edit <pol-id> set proxy ssh

next

end

  1. When user/user-group is set in SSH proxy policy, firewall authentication can be done for SSH proxy traffic. Authentication rule for SSH is added:

config authentication rule edit <name> set protocol ssh

next end

  1. “Basic” authentication scheme:

config authentication scheme edit “ssh-active” set method basic

set user-database “local” #or LDAP server

next

  1. “ssh-publickey” authentication scheme:

config authentication scheme edit “ssh-pkey” set method ssh-publickey

set user-database “local” #or LDAP server set ssh-ca “server-ca”

next

User name is embedded in ssh-publickey. User group information will be retrieved if the publickey is validated by CA.

  • Both “Basic” and “ssh-publickey” authentication scheme:

config authentication scheme edit “ssh-pkey” set method basic ssh-publickey set user-database “local” #or LDAP server set ssh-ca “server-ca” next

  1. Support SSH tunnel policy to do access control for TCP/IP port forwarding traffic.
    1. Add a proxy type ssh-tunnel into config firewall proxy-policy

config firewall proxy-policy edit <pol-id> set proxy ssh-tunnel set action {accept | deny}

next

end

  1. Support allow or deny and IPS sensor/app-control the traffic.
  1. Support SSH trust to detect and prevent from SSH MITM attacks

SSH MITM deep

  1. Define trusted SSH hostkey for specific SSH server

config firewall ssh host-key edit <name> set status {trusted | revoked} set type {RSA | DSS | ECDSA} set nid <NID of ECDSA key> set ip <ip> set port <port> set hostname <name> set public-key <hostkey>

next

end

  1. Define trusted/untrusted CAs for hostkey signing. Any hostkey signed by trust CA is trusted unless the hostkey is revoked.

config firewall ssh local-ca edit <name> set password <passwd> set public-key <public key> set private-key <private key> set source {build-in | user}

next

end

The system creates two build-in SSH CAs: Fortinet_SSH_CA and Fortinet_SSH_CA_ Untrusted. The CAs are used to re-sign a server host key with local host-key using trusted/untrusted CA when the server host key is trusted or untrusted.

  1. Define local hostkey templates for trusted re-signing. Be default, they are generated automatically.

config firewall ssh local-key edit <name> set password <passwd> set public-key <public key> set private-key <private key> set source {build-in | user}

next end

  1. The system creates different types of local host keys as default re-signing templates: Fortinet_SSH_RSA2048, Fortinet_SSH_DSA1024, Fortinet_ SSH_ECDSA256, Fortinet_SSH_ECDSA384, Fortinet_SSH_ECDSA512, Fortinet_SSH_ED25519, Fortinet_SSH_RSA1024.
  2. Admin can load their own local host keys and use them for MITM re-signing in config firewall ssh setting.
  1. Per-VDOM SSH settings

config firewall ssh setting set caname <trusted-ca> set untrusted-caname <untrusted-ca> set hostkey-rsa <hostkey-rsa> set hostkey-dss <hostkey-dss> set hostkey-ecdsa256 <hostkey-ecdsa256>

SSL server table for SSL offloading

set hostkey-ecdsa384 <hostkey-ecdsa384> set ed25519-key <ed25519-key> set host-trusted-check {enable | disble} end

  1. When a hostkey is trusted and signed by a CA, SSH proxy re-signs appropriate type of hostkey using trusted CA.
  2. When a host is trusted but not signed, SSH proxy sends back appropriate type of hostkey.
  • When a hostkey is untrusted and signed by a CA, SSH proxy re-signs a temporary hostkey (1 hour life time) using untrused CA.
  1. When a host is trusted but not signed, SSH proxy sends back a temporary hostkey (one hour life time).

SSL server table for SSL offloading

An SSL server table can now be used for SSL offloading. This feature was introduced with the release of FortiOS

5.4.0.

CLI Syntax

config firewall ssl-ssh-profile edit <name> set use-ssl-server {enable|disable}

next end

This entry was posted in Administration Guides, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.